Posts Tagged ‘Malware’

Articles

Malware for beginners: those apocalyptic emails…

In Malware, Malware for beginners on February 2, 2011 by tecnologyantivirus

Published by Javier Guerrero, February 2011

Even though the protagonist of this new chapter in the Malware for Beginners series is no malware specimen, it does share a couple of features with viruses, Trojans and other threats: You can easily find them in your email inbox and they can be really annoying. Yes, we are referring to those scary, apocalyptic email messages…

Yes, you know, those messages that friends and colleagues forward to you (with the best of intentions) to let you know about the latest virus, or a threat so deadly that it can blow up your computer, kill your dog with some mysterious radiation and turn your granny into a blood-craving zombie… And for which there is no cure, of course.

Well, seriously now, this type of email is quite common. Even though these emails are not dangerous in themselves and are not aimed at defrauding anybody, they alarm people by taking advantage of their fear and lack of knowledge, since most recipients don’t really know what malware can and cannot do.

Not so long ago I myself received one of these messages, which you can see below loosely translated:

Let’s take a look at sentences like “This is a virus that burns your entire hard disk”. They could have used the term “delete” or “format”, but obviously “burn” is far more spectacular. Of course, no virus can damage a hard disk like that. And do not forget the recommendation: “This is the reason why you must send this email to all your contacts”. Is there any email user who doesn’t hate this sentence? 🙂

Anyway, the scariest bit comes in the second paragraph, where you are prompted to “Shut down your computer immediately” without even opening the message, and told there is no fix for this threat. Finally, they even mention CNN’s coverage of the story, and Microsoft, which supposedly classifies this virus as the most dangerous ever.

To sum up: One thing is to inform users about the dangers of malware, and another one is to raise confusion and scare people for no reason with the sole purpose of achieving notoriety.

Finally, keep an antivirus installed and update it frequently. This is your barrier against spam and phishing. If you are not sure about something during the installation or update processes, don’t leave it for later. Look for the appropriate solution in the support forums available to you for any queries you might have.

Javier Guerrero Díaz
R+D – Development Dept.
Panda Security

==============================================================================
Javier Guerrero works in Panda Security as a technical specialist and analyst/programmer. Since joining the company in 1998 he has taken part in numerous projects, almost always involved with kernel layer technology: the first Panda Platinum, Panda Security and Panda Security for Networks, firewall and TruPrevent technologies, file permanent protection modules, Shield and the Cloud AV interception layer, etc. He currently works in the Interception Unit and is responsible for various Cloud AV components.

Articles

Top Five malware in 2010. Protect yourself against them with Panda Antivirus!

In Malware, Uncategorized on January 19, 2011 by tecnologyantivirus

Posted by Blanca Carton, January 2011

Every year, PandaLabs, Panda Security’s anti-malware laboratory, publishes an annual malware report discussing the year’s most virulent threats. In 2010, this task was made all the more difficult as PandaLabs had to analyze and sift through no less than 20 million new viruses.

This report is also used as the basis for the company’s ‘Virus Yearbook’, which, rather than a definitive list of the threats that infected the most computers or caused the most damage, is simply a summary of some of the viruses that, for one reason or another, have caught our eye.

Here are the Top Five:

  1. The mischievous Mac lover: This title has been earned by a remote-control program with the worrying name of HellRaiser.A. It only affects Mac systems and needs user consent to install on a computer. Yet once installed, it can take remote control of the system and perform a whole host of functions… it can even open the DVD tray!
  2. The Good Samaritan: Surely some of you will have guessed… Bredolab.Y comes disguised as a message from Microsoft Support claiming that a new security patch for Outlook has to be installed immediately… But watch out! If you download it you will have installed the SecurityTool rogueware, which will start telling you that your system is infected and that you should buy a certain solution to fix it. Of course, if you pay for the program, you will never receive it, it will not resolve the problem and that’s the last you will see of your money…
  3. Linguist of the year: Our award for the linguist of the year goes to MSNWorm.IE. This virus, which in itself is nothing special, is distributed via Messenger with a link tempting the user into viewing a photo… in 18 languages!
  4. The most annoying: Remember how viruses used to be? Or those ‘jokes’ that once installed would ask: “Are you sure you want to close the program? Yes – No?”. No matter what you clicked, the same screen would appear: “Are you sure you want to close the program?”, time and time again, enough to try the patience of a saint… Well that’s what this worm does: Oscarbot.YQ. Once it is installed, start praying, or doing yoga, or meditating… whatever you can think of, because it will drive you mad. Every time you close it, another screen opens asking another question, or opening a browser window, or… The most annoying, without a doubt.
  5. Insect of the year: We would like to make special mention of the Mariposa (Butterfly) botnet, which was dismantled in March and led to the arrest of the creators thanks to the collaboration between Panda Security, the Spanish Civil Guard, FBI and Defense Intelligence… Like a true insect, it fed on the nectar of other people’s computers, flitting from one to another… and compromised a total of 13 million computers around the world.

How to protect yourself against attacks

The first rule is to use your common sense. If you receive an email message with attachments from a dubious source, delete it.

Be careful when surfing the Web. Avoid downloading programs from unknown websites. And even if you know the source, stay alert and take all necessary precautions before opening them.

Finally, to be completely protected it is essential that you have an antivirus installed and updated, regardless of whether your operating system is Windows or Mac.

Remember, if you have any questions about the operation of your product, you can always find the answers in the articles published on the Panda Security support website, in the videos posted on our YouTube Support Channel or by contacting our expert technicians through the Tech Support forum.

===============================================================================

This is an extract from the post published by PandaLabs: “PandaLabs Recaps Year of Malware with its Virus Yearbook 2010”.

Articles

Malware for beginners: fake antivirus programs

In Malware, Malware for beginners on November 3, 2010 by tecnologyantivirus

Published by Javier Guerrero, November 2010

Many people think that when antivirus companies talk about the vast number of malware threats that exist, they are exaggerating in order to sell their software. In other words, they are scaremongering to frighten users into buying their products. That’s why when I write articles about malware, I like to refer to first-hand experiences, as I am going to do in this post.

Some time ago a friend called me, concerned because his computer displayed a window notifying him that it had been infected by malware; specifically 42 examples of all types of malware: viruses, spyware, adware, Trojans… This was a bit of a shock, as his anti-malware solution had only detected a couple of threats, which in theory it had deleted. What’s more, these warnings did not come from the antivirus, and neither would they let him eliminate the infection.

As I guessed his antivirus might have been out of date, I suggested he look for a second opinion using our Panda ActiveScan free online scanner.

However, my friend was unable to install the ActiveScan scan module, either with Internet Explorer or with Firefox; something was stopping it. In fact, it had become virtually impossible to use the computer: he couldn’t browse the Web, or install or uninstall applications. It seemed that his computer had been hijacked by this application.

My suspicions were confirmed when (on going round to his house) I could see the window in question. It belonged to a (supposed) security product called “Personal Security”:

However, the problems I mentioned before suggested there was something dubious about this software. Also, my friend was quite sure he had not installed this product, at least not in the way one normally installs a product in Windows. It was also highly suspicious that his antivirus had not detected all the malware displayed in the window.

The conclusion was obvious: This was a fake or rogue antivirus.

What is a Rogue Antivirus?

This is a malicious application which, in the guise of a trial version of a normal antivirus, tries to trick users into believing that their computers have been infected by numerous examples of malware.

What’s the aim?

Money, of course. Users are then forced to buy a ‘full version’ of the application if they want to ‘disinfect’ their computers. Many people fall for this, either unwittingly, or because they want the system to return to normal.

The rogue antivirus we are talking about today displays the following window:

And obviously, there is a form in which victims are prompted to enter their personal and bank details.

This type of malware is now widespread, largely because it is successful in tricking many people, as the graphic interfaces used (windows, buttons, etc.) are often very professionally crafted.

For example, this particular fake antivirus displays a warning which is similar in appearance to the Windows Security Center:

How to avoid them

The careful and professional design of many of these programs makes them particularly dangerous, as they will fool many users with little knowledge of IT security.

Although much of the usual advice we offer (use a good up-to-date antivirus, don’t download unknown programs, take care with USB devices, etc.) is just as valid in these cases, it is particularly important to be careful with the websites you visit.

One of the most common techniques used for spreading these fake programs is known as “Blackhat SEO” (we will talk about this in the next post), which basically manipulates Web search results so that they include links to malicious pages used to infect users. These pages display false infection warnings, prompting the user to click a button to download or install the product.

You should never click on any part of these windows, as this will start installation. In these cases try closing all windows using the ALT-F4 key combination, although the infection may have already taken place.

So, what happened to my friend?

We managed to resolve the problem by starting up in safe mode and manually deleting all files and registry entries corresponding to the fake antivirus. Of course we had to get this information through another computer, as the system had been completely hijacked by the intruder.
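The clean-up above depends on knowing which files and registry entries belong to the rogue program. The script below is an added example, not the post’s own procedure or a Panda Security tool: it reads the standard Windows Run/RunOnce autostart keys (collection works only on Windows, via the stdlib winreg module) and flags entries whose executable lives in a temporary or public directory, or outside the usual Program Files and Windows locations. The entries in SAMPLE_ENTRIES, including the “psec.exe” value name and path, are constructed for illustration.

```python
"""Audit Windows Run/RunOnce autostart entries for programs launched from
unusual locations, the kind of persistence a rogue antivirus relies on.

Added example, not from the original post. Registry collection is Windows
only; the classification logic is plain Python and runs anywhere.
"""
import re

# Standard autostart keys (real Windows locations).
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Locations a legitimate installer normally does not use for its binaries.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\public\\")
# Locations where installed products normally live.
STANDARD_DIRS = ("\\program files\\", "\\program files (x86)\\", "\\windows\\")

# Constructed sample entries (hive, key, value name, command); not real data.
SAMPLE_ENTRIES = [
    ("HKLM", RUN_KEYS[0][1], "SecurityHealth",
     r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    ("HKCU", RUN_KEYS[2][1], "Personal Security",
     r'"C:\Users\Alice\AppData\Local\Temp\psec.exe" /autorun'),
    ("HKCU", RUN_KEYS[2][1], "Updater",
     r"C:\Users\Alice\AppData\Roaming\Updater\upd.exe --silent"),
]


def extract_path(command):
    """Pull the executable path out of a Run value, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def classify(entries):
    """Return (value name, path, severity, reason) for entries worth a look."""
    findings = []
    for _hive, _key, name, command in entries:
        path = extract_path(command).lower()
        if any(d in path for d in SUSPICIOUS_DIRS):
            findings.append((name, path, "high",
                             "launched from a temporary or public directory"))
        elif not any(d in path for d in STANDARD_DIRS):
            findings.append((name, path, "review",
                             "launched from outside Program Files / Windows"))
    return findings


def collect_run_entries():
    """Read the Run/RunOnce keys from the live registry (Windows only)."""
    import winreg  # stdlib, but only importable on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    entries.append((hive, subkey, name, str(value)))
                    index += 1
        except OSError:
            continue  # key absent (RunOnce often is)
    return entries


if __name__ == "__main__":
    try:
        entries = collect_run_entries()
    except ImportError:  # not on Windows: fall back to the constructed sample
        entries = SAMPLE_ENTRIES
    for name, path, severity, reason in classify(entries):
        print(f"[{severity}] {name}: {path} ({reason})")
```

Run it from the safe-mode session on the affected machine, or point classify() at entries exported from it, and investigate anything marked “high” first; a “review” finding is only a prompt to confirm the program is one the user actually installed. Run keys are just one persistence location, so a clean result here does not prove the machine is clean.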

To end this post, I would just like to answer the question set out at the beginning: Yes, the threat of malware is real. We are not exaggerating it in the slightest.

===============================================================================
Javier Guerrero works in Panda Security as a technical specialist and analyst/programmer. Since joining the company in 1998 he has taken part in numerous projects, almost always involved with kernel layer technology: the first Panda Platinum, Panda Security and Panda Security for Networks, firewall and TruPrevent technologies, file permanent protection modules, Shield and the Cloud AV interception layer, etc. He is currently part of the interception unit and is responsible for the file and process interceptors in Panda Cloud Antivirus.

Articles

Malware for beginners: Keyloggers

In Malware, Malware for beginners, Uncategorized on October 13, 2010 by tecnologyantivirus

Published by Javier Guerrero, October 2010

We use the term malware to refer generically to the multiple threats to which IT systems are exposed every day. However, this word covers a whole range of concepts with which, on the whole, most users are unfamiliar.

Although this is perfectly understandable (one of my favorite maxims is that “you don’t need to be a mechanic to drive a car”), it’s not a bad idea to have an understanding of the mechanisms used by the different types of malware. So let’s start with something simple: keyloggers.

A keylogger is simply a component (generally software, although hardware-based keyloggers also exist) that registers keystrokes on a keyboard without the user’s knowledge.

Not too nasty really, is it? Nothing could be further from the truth. Keyloggers are used to steal information entered by users, such as:

  • User names and passwords for logging into the operating system, and social network credentials.
  • Credit card numbers. Keyloggers are a crucial element of many banker Trojans that steal this type of data and send it to hackers, who profit financially at the expense of unwitting users. In fact, most banks now implement measures in their Web services to protect against this threat, such as virtual keyboards.

In any event, the advice that we generally give for other types of malware also applies for keyloggers:

  • Don’t download or run files from dubious sources
  • Only browse trusted sites
  • Use a good, up-to-date security suite.

And, of course, use your common sense. These are the best weapons in the fight against malware.

===================================================================================
Javier Guerrero works in Panda Security as a technical specialist and analyst/programmer. Since joining the company in 1998 he has taken part in numerous projects, almost always involved with kernel layer technology: the first Panda Platinum, Panda Security and Panda Security for Networks, involving firewall and TruPrevent technologies, file residents, Shield and the Cloud AV interception layer. He is currently part of the interception unit and is responsible for the file and process interceptors in Cloud AV.

Articles

The ‘Anonymous’ cyber-protest group calls for an attack on SGAE tonight

In Malware on October 7, 2010 by tecnologyantivirus

Published by Luis Corrons, October 7, 2010

Latest news!!

According to Tieve.tk, the ‘Anonymous’ cyber-activist group has called on its community to launch a distributed denial of service attack (DDoS) at midnight (00:00h CET) October 7 against the Spanish copyright protection society (SGAE). This group, in an initiative called “Operation Payback”, has been launching denial of service attacks against various targets in recent weeks as a response to the attempted closure of free file-sharing websites.

SGAE

A distributed denial of service attack (DDoS) involves launching numerous requests at the server hosting the Web page so that the hosting service cannot cope with the load and the server ‘crashes’, i.e. the service is suspended. In this case, for example, anyone trying to access the SGAE website may not be able to reach the domain.
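From the server side, the flood described above shows up in the access log as a sharp rise in requests per time window. The following is an added example (not part of the original post, and not a Panda Security tool) of the detection logic a site operator would run over such a log: a per-client sliding window that flags any source exceeding a request threshold, plus an aggregate rate across all clients, since a distributed flood can keep each individual source under the per-client limit. The log lines, window length and threshold are constructed assumptions for illustration.

```python
"""Spot request floods in a web server access log (Common Log Format).

Added example, not from the original post. The sample log is constructed
and the window/threshold values are assumptions a real deployment would tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (host, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("time"), TIME_FMT)


def flood_sources(lines, window_seconds=10, threshold=50):
    """Per-client sliding window. Returns {host: peak requests in a window}
    for hosts that exceeded `threshold` within any `window_seconds` span.
    Lines must be in chronological order, as access logs normally are."""
    span = timedelta(seconds=window_seconds)
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        host, ts = parsed
        q = windows[host]
        q.append(ts)
        while q and ts - q[0] > span:  # drop requests older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[host] = max(peaks.get(host, 0), len(q))
    return peaks


def peak_total_rate(lines, window_seconds=10):
    """Highest number of requests from all clients combined in one window.
    This is the figure to alarm on for a distributed flood, where no single
    source need stand out."""
    span = timedelta(seconds=window_seconds)
    q = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts = parsed[1]
        q.append(ts)
        while q and ts - q[0] > span:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def make_sample_log():
    """Constructed log: one client sending 10 requests/second for 6 seconds,
    plus a normal visitor making 3 requests. Not real traffic."""
    base = datetime(2010, 10, 7, 0, 0, 0, tzinfo=timezone.utc)

    def entry(host, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime(TIME_FMT)
        return f'{host} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [entry("198.51.100.7", i // 10, "/") for i in range(60)]
    lines += [entry("203.0.113.5", i * 4, "/index.html") for i in range(3)]
    lines.sort(key=lambda ln: parse_line(ln)[1])  # keep chronological order
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("per-client floods:", flood_sources(log))
    print("peak aggregate requests per 10 s window:", peak_total_rate(log))
```

On the constructed sample the single flooding client is reported with a peak of 60 requests in the window, while the aggregate peak (63) includes the normal visitor. In practice the per-client threshold is what drives rate limiting or blocking at the edge, and the aggregate figure is what tells you the capacity of the hosting service is being exceeded regardless of source.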

On September 17 we witnessed what could be deemed the first organized mass cyber-protest on the Internet, against the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), bodies that set out to protect copyright and distribution rights, as a response to the action that both these organizations have been undertaking against free file-sharing sites: they had contracted an Indian software company to launch attacks against sites such as The Pirate Bay, forcing them to close.

Details of the attacks, which have been monitored in real-time by our researcher Sean-Paul Correll are available here.
